WO2021070352A1 - Graph association system and graph association method - Google Patents

Graph association system and graph association method

Info

Publication number
WO2021070352A1
Authority
WO
WIPO (PCT)
Prior art keywords
unit
graph
dependency
log
association
Application number
PCT/JP2019/040129
Other languages
English (en)
Japanese (ja)
Inventor
忠賢 千田
楊 鐘本
Original Assignee
日本電信電話株式会社
Application filed by 日本電信電話株式会社 filed Critical 日本電信電話株式会社
Priority to JP2021551065A priority Critical patent/JP7251649B2/ja
Priority to PCT/JP2019/040129 priority patent/WO2021070352A1/fr
Priority to US17/766,532 priority patent/US20230131800A1/en
Publication of WO2021070352A1 publication Critical patent/WO2021070352A1/fr

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/901 Indexing; Data structures therefor; Storage structures
    • G06F16/9024 Graphs; Linked lists
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/906 Clustering; Classification
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/034 Test or assess a computer or a system

Definitions

  • the present invention relates to a graph association system and a graph association method.
  • the conventional method of constructing a dependency graph is based on the premise that all OS-level actions performed on the terminal are recorded in a log. However, if all OS-level actions are recorded in a log, a huge amount of logs will be recorded, so the actions are only partially recorded in the actual environment. Therefore, even if the existing method is used in the actual environment, the dependency graph to be constructed may include only a part of the attacker's actions, and the dependency graph may not be constructed properly.
  • the present invention has been made in view of the above, and an object of the present invention is to appropriately construct a dependency graph even when all OS-level actions are not recorded in a log.
  • the graph association system of the present invention includes a construction unit that constructs a plurality of dependency graphs in which input logs are associated with each other, an assigning unit that assigns a tag to each dependency graph constructed by the construction unit, and an associating unit that associates the dependency graphs with each other based on the tags assigned by the assigning unit.
  • the graph association method of the present invention is executed by the graph association system and includes a construction step of constructing a plurality of dependency graphs in which input logs are associated with each other, an assigning step of assigning a tag to each dependency graph constructed in the construction step, and an association step of associating the dependency graphs with each other based on the tags assigned in the assigning step.
  • the dependency graph can be appropriately constructed even when all the actions at the OS level are not recorded in the log.
  • FIG. 1 is a diagram showing an example of the configuration of the graph association system according to the embodiment.
  • FIG. 2 is a diagram showing an example of the configuration of the information processing apparatus shown in FIG.
  • FIG. 3 is a diagram illustrating an outline of graph association processing by the information processing apparatus.
  • FIG. 4 is a diagram illustrating an example of element extraction processing by the element extraction unit.
  • FIG. 5 is a diagram illustrating an operation example of the Back Tracker.
  • FIG. 6 is a diagram illustrating an operation example of the Back Tracker.
  • FIG. 7 is a diagram illustrating an operation example of the Back Tracker.
  • FIG. 8 is a diagram illustrating an operation example of the Back Tracker.
  • FIG. 9 is a diagram illustrating an operation example of the Back Tracker.
  • FIG. 10 is a diagram illustrating an operation example of the Back Tracker.
  • FIG. 11 is a diagram illustrating an operation example of the Back Tracker.
  • FIG. 12 is a diagram illustrating an example of association processing in log units by the construction unit.
  • FIG. 13 is a diagram illustrating an example of association processing in log units by the construction unit.
  • FIG. 14 is a diagram illustrating an example of association processing for each log by the construction unit.
  • FIG. 15 is a diagram illustrating an example of a tag assigned to the dependency graph by the assigning unit.
  • FIG. 16 is a diagram showing an example of a signature for a tag.
  • FIG. 17 is a diagram showing an example of a signature obtained from ATT & CK.
  • FIG. 18 is a diagram illustrating an example of tag addition processing by the addition unit.
  • FIG. 19 is a diagram illustrating an example of association processing in graph units by the association unit.
  • FIG. 20 is a diagram illustrating an example of association processing in graph units by the association unit.
  • FIG. 21 is a diagram illustrating an example of association processing in graph units by the association unit.
  • FIG. 22 is a diagram illustrating an example of association processing in graph units by the association unit.
  • FIG. 23 is a diagram illustrating an example of association processing in graph units by the association unit.
  • FIG. 24 is a flowchart showing a processing procedure of the information processing method according to the embodiment.
  • FIG. 25 is a diagram showing an example of a computer in which an information processing apparatus is realized by executing a program.
  • the graph association system shown in FIG. 1 has, for example, a configuration in which an information processing device 10 and a log holding device 20 are connected via a network N such as the Internet or a dedicated line.
  • the information processing device 10 is a terminal device used by an analyst for a survey.
  • the information processing device 10 constructs a dependency graph in which logs recorded before the log in which the attack was discovered are associated with each other among the input logs. Then, the information processing apparatus 10 attaches a tag to the constructed dependency graph, associates the dependency graphs with each other based on the added tag, and reconstructs the dependency graph.
  • the log holding device 20 holds the log to be investigated by the analyst.
  • the log holding device 20 provides the information processing device 10 with the log to be investigated via the network N.
  • the information processing device 10 may hold the log to be investigated in the device instead of the log holding device 20.
  • FIG. 2 is a block diagram showing the configuration of the information processing apparatus 10 shown in FIG.
  • the information processing device 10 includes a communication unit 11, an input unit 12, an output unit 13, a storage unit 14, and a control unit 15.
  • the communication unit 11 is a communication interface for transmitting and receiving various information to and from other devices connected via a network or the like.
  • the communication unit 11 is realized by a NIC (Network Interface Card) or the like, and communicates between another device and the control unit 15 via a telecommunication line such as a LAN (Local Area Network) or the Internet.
  • the communication unit 11 inputs the log (log file) of the investigation target input via the network N or the like to the control unit 15.
  • the input unit 12 is an input interface that receives various operations from the operator of the information processing device 10.
  • the input unit 12 is composed of an input device such as a touch panel, a voice input device, or a keyboard and mouse.
  • the output unit 13 is realized by, for example, a display device such as a liquid crystal display, a printing device such as a printer, an information communication device, or the like.
  • the output unit 13 outputs the reconstructed dependency graph to the operator (for example, an analyst).
  • the storage unit 14 is realized by a semiconductor memory element such as a RAM (Random Access Memory) or a flash memory, or by a storage device such as a hard disk or an optical disk, and stores a processing program for operating the information processing device 10 together with the data used while that program is executed.
  • the control unit 15 has an internal memory for storing a program that defines various processing procedures and required data, and executes various processing by these.
  • the control unit 15 is an electronic circuit such as a CPU (Central Processing Unit) or an MPU (Micro Processing Unit).
  • the control unit 15 has an element extraction unit 15a, a construction unit 15b, an addition unit 15c, and an association unit 15d.
  • FIG. 3 is a diagram illustrating an outline of graph association processing by the information processing apparatus.
  • the element extraction unit 15a receives the log file, extracts only the elements necessary for processing, and notifies the construction unit 15b of the log consisting only of those elements (see (2) in FIG. 3).
  • the construction unit 15b constructs the dependency graphs by using an existing causal analysis method, and notifies the assigning unit 15c of the set of dependency graphs (see (3) in FIG. 3).
  • the construction unit 15b continues to construct dependency graphs until every log recorded before the log that triggered the detection of the attack (the detection point) belongs to one of the dependency graphs.
  • the assigning unit 15c attaches a tag to each dependency graph so that the constructed dependency graphs can be associated with each other, and notifies the association unit 15d of the tagged set of dependency graphs (see (4) in FIG. 3).
  • the assigning unit 15c performs the tagging based on tags indicating Tactics and on the signature (a trace indicating that an attack has been executed) corresponding to each tag.
  • the assigning unit 15c uses signatures acquired from traces (Indicators of Compromise) indicating the presence of a threat, as described in ATT&CK or the like, to tag the dependency graphs constructed by the construction unit 15b.
  • tags are assigned with reference to Tactics, Techniques and Procedures (TTPs), and have a priority corresponding to the stage of the attack.
  • the association unit 15d associates the dependency graphs with each other using the tags, and outputs the dependency graph reconstructed according to the association (see (5) in FIG. 3).
  • processing of each unit (element extraction unit 15a, construction unit 15b, addition unit 15c, association unit 15d) of the control unit 15 will be described returning to the description of FIG.
  • the element extraction unit 15a receives a log file and extracts an element for each log recorded therein.
  • the elements extracted by the element extraction unit 15a may include, for example, "recording time", "process ID", "parent process ID", "user ID", "command line", "destination address", "destination port", "file name", "DNS domain name", "IP address obtained by name resolution", "process name", "absolute path of GET request", "absolute path of POST request" and the like.
  • the elements to be extracted are not limited to this. Further, the element extraction unit 15a may add or delete elements.
  • FIG. 4 is a diagram illustrating an example of element extraction processing by the element extraction unit 15a.
  • the element extraction unit 15a extracts the recording time "2018-07-11T10:28:06.078110000Z", the destination address "192.168.56.101", the source address "10.0.2.15", the destination port "8080" and the source port "49636". Then, the element extraction unit 15a outputs a log composed of the extracted elements to the construction unit 15b.
  • An external device may perform the processing of the element extraction unit 15a. That is, the information processing device 10 may receive, for example, a log including only the elements necessary for processing from the log holding device 20.
  • the construction unit 15b constructs a plurality of dependency graphs in which the input logs are associated with each other. For example, the construction unit 15b constructs a plurality of dependency graphs in which logs recorded before the log in which the attack was discovered are associated with each other.
  • the construction unit 15b continues to construct the dependency graph by using a predetermined causal analysis method until all the logs recorded before the detection point belong to one of the dependency graphs.
  • the construction unit 15b constructs one or more dependency graphs by the following procedure using the causal analysis method. 1. Build a dependency graph from the detection point using the causal analysis method. 2. Among the logs recorded before the detection point that are not included in any dependency graph constructed so far, take the latest recorded log and construct a dependency graph from it using the causal analysis method. 3. Repeat step 2 until no log recorded before the detection point remains outside the dependency graphs constructed so far.
  • FIGS. 5 to 11 are diagrams for explaining an operation example of the Back Tracker.
  • the construction unit 15b constructs a dependency graph by using the log that triggered the discovery as a detection point and associating the logs in reverse chronological order.
  • the Back Tracker constructs a dependency graph starting from the log of time 6, "process C writes file X", which is the detection point. That is, in the example of FIG. 5, the Back Tracker creates nodes for "process C" and "file X" and connects them with an arrow.
  • the Back Tracker then processes the log of time 5, "process C reads file 1", which is one before the detection point at time 6. That is, in the example of FIG. 6, the Back Tracker adds a node for "file 1" related to the "process C" node and connects them with an arrow.
  • the Back Tracker then processes the log of time 4, "process A creates process C", which is one before time 5. That is, in the example of FIG. 7, the Back Tracker adds a node for "process A" related to the "process C" node and connects them with an arrow.
  • the Back Tracker then processes the log of time 3, "process A reads file 0", which is one before time 4. That is, in the example of FIG. 8, the Back Tracker adds a node for "file 0" related to the "process A" node and connects them with an arrow. Note that the log of time 2, "process B writes file 2", which is one before time 3, is not included in this dependency graph because it is less relevant to the log of the detection point at time 6.
  • the Back Tracker then processes the log of time 1, "process B writes file 1", which is one before time 2. That is, in the example of FIG. 9, the Back Tracker adds a node for "process B" related to the "file 1" node and connects them with an arrow.
  • the Back Tracker then processes the log of time 0, "process A creates process B", which is one before time 1. That is, in the example of FIG. 10, the Back Tracker connects the related "process A" and "process B" nodes with an arrow.
  • by performing the above processing, the Back Tracker constructs, as illustrated in FIG. 11, a dependency graph that expresses the relationships between the logs by connecting each node with an arrow.
  • the logs are associated with each other from the detection point by using the above-mentioned Back Tracker method.
  • the logs are associated with the detection point by the Back Tracker.
  • the time 5 log and the time 4 log are associated with the time 5 log and the time 2 log.
  • the construction unit 15b then starts associating logs again, taking as the start point the log closest to the detection point among the logs recorded before the detection point that were not associated by the Back Tracker.
  • the log recorded before the detection point that was not associated by the Back Tracker is the time 3 log, so the association of logs is started with the time 3 log as the start point.
  • the construction unit 15b creates a dependency graph by associating the logs with the log of time 3 as the start point.
  • the construction unit 15b then associates the logs with the log of time 0 as the start point and creates a further dependency graph. In this way, the construction unit 15b repeats the process of associating logs and constructing dependency graphs until time 0 is reached.
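The construction procedure above (a Back Tracker pass from the detection point, then repeated passes from the latest log not yet in any graph), as an added example that is not code from the patent. The log sequence is the one of FIG. 5 to 11; the information-flow rule used to decide which logs are relevant, and the choice to let a later pass revisit logs that already belong to an earlier graph, are assumptions of this example.

```python
# Added example (not the patent's code): construction unit 15b over the log
# sequence of FIG. 5 to 11. Time 6 ("process C writes file X") is the detection point.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class LogEntry:
    time: int
    subject: str   # process performing the action
    action: str    # "creates", "reads" or "writes"
    obj: str       # file or process acted on


@dataclass
class DependencyGraph:
    start_time: int                               # the start point (detection point or a later start)
    nodes: set = field(default_factory=set)
    edges: list = field(default_factory=list)     # (source node, destination node, log time)
    times: set = field(default_factory=set)       # times of the logs that belong to this graph


def back_track(logs, start_time):
    """Backward pass in the style of the Back Tracker example (FIG. 5 to 11).

    Assumed relevance rule: information flows from subject to object for
    "creates"/"writes" and from object to subject for "reads". Walking backwards
    from the start point, a log is associated when its flow ends in a node that
    is already in the graph; the other endpoint then becomes a node too.
    """
    by_time = {e.time: e for e in logs}
    start = by_time[start_time]
    g = DependencyGraph(start_time, {start.subject, start.obj},
                        [(start.subject, start.obj, start.time)], {start.time})
    for t in sorted((t for t in by_time if t < start_time), reverse=True):
        e = by_time[t]
        if e.action == "reads":
            src, dst = e.obj, e.subject      # file content flows into the reading process
        else:
            src, dst = e.subject, e.obj      # the process writes or creates the object
        if dst in g.nodes:                   # this log influenced something already in the graph
            g.nodes.add(src)
            g.edges.append((src, dst, t))
            g.times.add(t)
        # otherwise the log is less relevant to the start point and is skipped
        # (like "process B writes file 2" at time 2 in FIG. 8)
    return g


def construct(logs, detection_time):
    """Construction unit 15b: keep building graphs until every log recorded
    before the detection point belongs to at least one dependency graph."""
    graphs = [back_track(logs, detection_time)]
    covered = set(graphs[0].times)
    while True:
        remaining = [e.time for e in logs if e.time < detection_time and e.time not in covered]
        if not remaining:
            return graphs
        # the latest log not yet in any graph becomes the next start point
        g = back_track(logs, max(remaining))
        graphs.append(g)
        covered |= g.times


# Constructed sample input: the logs of FIG. 5 to 11.
SAMPLE_LOGS = [
    LogEntry(0, "process A", "creates", "process B"),
    LogEntry(1, "process B", "writes", "file 1"),
    LogEntry(2, "process B", "writes", "file 2"),
    LogEntry(3, "process A", "reads", "file 0"),
    LogEntry(4, "process A", "creates", "process C"),
    LogEntry(5, "process C", "reads", "file 1"),
    LogEntry(6, "process C", "writes", "file X"),
]

if __name__ == "__main__":
    for g in construct(SAMPLE_LOGS, 6):
        print(f"graph from time {g.start_time}: logs {sorted(g.times)}, nodes {sorted(g.nodes)}")
```

The first pass reproduces FIG. 11 (times 6, 5, 4, 3, 1, 0, with time 2 left out); the second pass starts at time 2, the only log not yet covered, and ends once no uncovered log remains.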
  • the assigning unit 15c assigns a tag to each dependency graph constructed by the construction unit 15b.
  • the assigning unit 15c may assign, as the tag, a tag number indicating the stage of the attack.
  • the assigning unit 15c adds a tag representing Tactics (a Tactics ID) to each dependency graph constructed by the construction unit 15b.
  • for the attackers' attack methods, see MITRE ATT&CK, https://attack.mitre.org
  • ATT&CK is a security framework created by analyzing attackers' attack methods and tactics.
  • FIG. 15 is a diagram illustrating an example of a tag attached to the dependency graph by the assigning unit 15c.
  • the example of FIG. 15 shows a security framework created by analyzing attackers' attack methods and tactics, in which the transition of attacks (the attack life cycle, in terms of Tactics, Techniques and Procedures, TTPs) is shown from left to right.
  • the tag of the Tactics "Initial Access" is Tactics ID "1".
  • the tag of the Tactics "Execution" is Tactics ID "2".
  • a signature for the tag shall be prepared in advance. For example, obtain a signature from ATT & CK or the like.
  • the signature is a trace indicating that the attack has been executed, and shall be described by a regular expression.
  • FIG. 16 is a diagram showing an example of a signature for a tag. As illustrated in FIG. 16, it is assumed that a signature is set for each set of Tactics and Tactics ID. Signatures are traces left when an attacker performs an attack technique.
  • the signature shall be obtained from ATT & CK.
  • FIG. 17 is a diagram showing an example of a signature obtained from ATT & CK.
  • ATT & CK describes the attack method used by the attacker and its details.
  • in FIG. 17, the character strings surrounded by a frame are the traces left when the attacker executes the attack method.
  • this trace is used as a signature.
  • the present invention is not limited to the case where the signature is acquired from ATT & CK, and can be replaced by other signature acquisition methods. For example, it is possible to use a signature independently obtained by the user.
  • FIG. 18 is a diagram illustrating an example of tag assignment processing by the assigning unit 15c.
  • the assigning unit 15c searches each dependency graph for a signature that matches information about the graph, such as a file name. Then, when a matching signature exists, the assigning unit 15c assigns the tag corresponding to that signature to the dependency graph.
  • the assigning unit 15c assigns "2" as the tag to the dependency graph.
  • the associating unit 15d associates the dependency graphs with each other based on the tags given by the giving unit 15c.
  • among the plurality of dependency graphs constructed by the construction unit 15b, the association unit 15d associates, in order, the dependency graphs assigned the largest tag number among those whose tag numbers are smaller than the tag number attached to the dependency graph that includes the log in which the attack was discovered. That is, the association unit 15d starts processing from the dependency graph that includes the detection point and associates with it the dependency graphs assigned the Tactics ID that is closest to, but smaller than, the Tactics ID of that dependency graph.
  • FIGS. 19 to 23 are diagrams illustrating an example of association processing in graph units by the association unit 15d.
  • the dependency graphs G0 to G6 are a plurality of dependency graphs constructed by the construction unit 15b.
  • the Tactics ID of the dependency graph G0 is "5".
  • the Tactics ID of the dependency graphs G3 and G5 is "4".
  • the Tactics ID of the dependency graphs G1 and G6 is "3".
  • the association unit 15d first places the graph containing the detection point, taken from the set of dependency graphs constructed by the Back Tracker, into a queue.
  • the association unit 15d places the graph G0 in the queue.
  • the association unit 15d extracts one dependency graph from the head of the queue.
  • let G be the extracted dependency graph; the association unit 15d queues the dependency graphs whose Tactics ID satisfies the following conditions 1 and 2.
  • Condition 1: the Tactics ID is one that has been assigned to at least one of the graphs.
  • Condition 2: the Tactics ID is smaller than the Tactics ID of the dependency graph G, and is the closest such ID to the Tactics ID of G.
  • since the Tactics ID of G is "5" and the Tactics ID satisfying the above conditions is "4", the association unit 15d queues the graphs G3 and G5.
  • the Tactics ID of the dequeued dependency graph G is "5".
  • the Tactics IDs assigned to the graphs are "5", "4" and "3"; of these, the one that is smaller than the Tactics ID "5" of the dependency graph G and closest to it is "4", so the association unit 15d adds the dependency graphs G3 and G5 to the queue.
  • the association unit 15d associates the dependency graph G with the newly queued dependency graphs.
  • the association unit 15d connects the dependency graph G (G0) and the dependency graphs G3 and G5 with arrows.
  • the association unit 15d then takes the dependency graphs G3 and G5 in turn as the dependency graph G, similarly places the dependency graphs satisfying conditions 1 and 2 above in the queue, and associates the dependency graph G with the newly queued dependency graphs.
  • the association unit 15d repeats this process until no unassociated dependency graph remains, so that the dependency graphs are associated with each other as illustrated in FIG. 23.
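The tag assignment by signature (FIG. 16 to 18) and the queue-based association under conditions 1 and 2 (FIG. 19 to 23), as one added example that is not code from the patent. Only the Tactics IDs given on the page (G0 = 5, G3 = G5 = 4, G1 = G6 = 3, "Initial Access" = 1, "Execution" = 2) come from the patent; the remaining tactic names, every signature pattern, the per-graph artifact strings, the tags of G2 and G4, and the rule that the latest matching stage wins when several signatures match are constructed assumptions.

```python
# Added example (not the patent's code): assigning unit 15c + association unit 15d.
import re
from collections import deque

# Tactics ID -> (Tactics name, signature regex). IDs 1 and 2 follow FIG. 15; the other
# names are ATT&CK tactic names chosen here, and all patterns are constructed placeholders
# standing in for traces obtained from ATT&CK (FIG. 17), not real ATT&CK content.
SIGNATURES = {
    1: ("Initial Access", re.compile(r"invoice.*\.docm$", re.I)),
    2: ("Execution", re.compile(r"\bpowershell\.exe\b", re.I)),
    3: ("Persistence", re.compile(r"CurrentVersion\\Run", re.I)),
    4: ("Credential Access", re.compile(r"lsass\.dmp$", re.I)),
    5: ("Exfiltration", re.compile(r"exfil.*\.zip$", re.I)),
}


def assign_tags(graphs, signatures=SIGNATURES):
    """Assigning unit 15c: search the information attached to each graph (file names,
    registry paths, command lines) for a matching signature and attach its Tactics ID.
    Assumption: when several signatures match, the latest attack stage (largest ID)
    wins, following the stage-ordered priority the tags carry. Untagged graphs get None."""
    tags = {}
    for name, artifacts in graphs.items():
        matched = [tid for tid, (_, pat) in signatures.items()
                   if any(pat.search(a) for a in artifacts)]
        tags[name] = max(matched) if matched else None
    return tags


def associate(tags, detection_graph):
    """Association unit 15d. Starting from the graph holding the detection point, each
    dequeued graph G is linked to every graph whose Tactics ID is the largest ID that
    (condition 1) is assigned to some graph and (condition 2) is smaller than G's ID.
    Newly linked graphs are queued once each; returns the list of (from, to) arrows."""
    assigned_ids = sorted({t for t in tags.values() if t is not None})   # condition 1
    edges, seen = [], {detection_graph}
    queue = deque([detection_graph])
    while queue:
        g = queue.popleft()
        if tags[g] is None:
            continue                       # an untagged graph has no "smaller" stage to link to
        smaller = [t for t in assigned_ids if t < tags[g]]
        if not smaller:
            continue
        target = max(smaller)              # condition 2: the closest ID below G's own
        for h, t in tags.items():
            if t == target:
                edges.append((g, h))       # arrow from G to the associated graph
                if h not in seen:
                    seen.add(h)
                    queue.append(h)
    return edges


# Constructed sample: graphs G0..G6 with one artifact string each. G0 contains the
# detection point. G2 (ID 2) and G4 (no matching signature) are not given on the page.
SAMPLE_GRAPHS = {
    "G0": [r"C:\Users\victim\exfil_data.zip"],
    "G1": [r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"],
    "G2": ["powershell.exe script.ps1"],
    "G3": [r"C:\Windows\Temp\lsass.dmp"],
    "G4": [r"C:\Windows\System32\notepad.exe"],
    "G5": [r"C:\Temp\lsass.dmp"],
    "G6": [r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\svc"],
}

if __name__ == "__main__":
    tags = assign_tags(SAMPLE_GRAPHS)
    print("tags:", tags)
    for src, dst in associate(tags, "G0"):
        print(f"{src} (ID {tags[src]}) -> {dst} (ID {tags[dst]})")
```

With these inputs G0 is linked to G3 and G5 (the ID-4 graphs, as in FIG. 19 to 22), each of those to G1 and G6, and each of those to G2; G4 stays unassociated because no signature matched it.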
  • the information processing device 10 tags the plurality of dependency graphs and then uses the tags to associate the dependency graphs with each other, so that a dependency graph representing the series of actions of the attacker can be reconstructed. Therefore, the information processing device 10 can construct an associated dependency graph by associating logs that were not related by the conventional method.
  • even when not all OS-level actions are recorded in the logs that the analyst collected from the damaged environment during the incident investigation, the information processing device 10 makes it possible to construct a dependency graph that includes all of the attacker's actions.
  • with the information processing device 10, when an analyst investigates an incident using the dependency graph, the risk of missing a log necessary for clarifying the situation of the incident can be reduced.
  • FIG. 24 is a flowchart showing a processing procedure of the information processing method according to the embodiment.
  • the element extraction unit 15a of the information processing device 10 extracts only the elements necessary for processing from each input log (step S101), and outputs a log composed only of the extracted elements to the construction unit 15b.
  • the construction unit 15b determines whether there is a log that has not yet been associated among the logs recorded before the detection point (step S102). When the construction unit 15b determines that such a log exists (step S102: affirmative), it constructs a dependency graph using a causal analysis method (for example, Back Tracker), starting from the log closest to the detection point among the logs that have not yet been associated (step S103).
  • returning to step S102, the construction unit 15b repeats the process of step S103 until no unassociated log remains.
  • when the construction unit 15b determines in step S102 that there is no unassociated log among the logs recorded before the detection point (step S102: negative), the assigning unit 15c tags each dependency graph using the signatures (step S104).
  • the association unit 15d associates the dependency graphs with each other using the tags added to the dependency graphs (step S105). After that, the association unit 15d may reconstruct the dependency graph based on the associations between the dependency graphs and output the reconstructed dependency graph. The analyst uses the dependency graph to investigate the incident.
  • the information processing device 10 of the graph association system 100 constructs a plurality of dependency graphs in which the input logs are associated with each other. Then, the information processing device 10 attaches a tag to each of the constructed dependency graphs. Subsequently, the information processing device 10 associates the dependency graphs with each other based on the attached tags. As a result, the information processing device 10 can appropriately construct a dependency graph even when not all actions at the OS level are recorded in the log.
  • the information processing device 10 tags the plurality of dependency graphs and then uses the tags to associate them with each other, so that a dependency graph representing the series of actions of the attacker can be reconstructed, and an associated dependency graph can be constructed by associating logs that were not related by the conventional method.
  • even when not all OS-level actions are recorded in the logs collected by the analyst from the damaged environment during the incident investigation, the information processing device 10 makes it possible to construct a dependency graph that includes all of the attacker's actions.
  • with the information processing device 10, for example, when an analyst investigates an incident using the dependency graph, the risk of missing a log necessary for clarifying the situation of the incident can be reduced.
  • each component of each illustrated device is a functional concept and does not necessarily have to be physically configured as shown in the figures. That is, the specific form in which each device is distributed or integrated is not limited to the one shown, and all or part of a device can be functionally or physically distributed or integrated in arbitrary units according to various loads and usage conditions. Further, each processing function performed by each device may be realized by a CPU and a program analyzed and executed by the CPU, or may be realized as hardware by wired logic.
  • FIG. 25 is a diagram showing an example of a computer in which the information processing apparatus 10 is realized by executing a program.
  • the computer 1000 has, for example, a memory 1010 and a CPU 1020.
  • the computer 1000 also has a hard disk drive interface 1030, a disk drive interface 1040, a serial port interface 1050, a video adapter 1060, and a network interface 1070. Each of these parts is connected by a bus 1080.
  • the memory 1010 includes a ROM (Read Only Memory) 1011 and a RAM 1012.
  • the ROM 1011 stores, for example, a boot program such as a BIOS (Basic Input Output System).
  • the hard disk drive interface 1030 is connected to the hard disk drive 1090.
  • the disk drive interface 1040 is connected to the disk drive 1100.
  • a removable storage medium such as a magnetic disk or an optical disk is inserted into the disk drive 1100.
  • the serial port interface 1050 is connected to, for example, a mouse 1110 and a keyboard 1120.
  • the video adapter 1060 is connected to, for example, the display 1130.
  • the hard disk drive 1090 stores, for example, an OS (Operating System) 1091, an application program 1092, a program module 1093, and program data 1094. That is, the program that defines each process of the information processing apparatus 10 is implemented as a program module 1093 in which a code that can be executed by a computer is described.
  • the program module 1093 is stored in, for example, the hard disk drive 1090.
  • the program module 1093 for executing the same processing as the functional configuration in the information processing apparatus 10 is stored in the hard disk drive 1090.
  • the hard disk drive 1090 may be replaced by an SSD (Solid State Drive).
  • the setting data used in the processing of the above-described embodiment is stored as program data 1094 in, for example, a memory 1010 or a hard disk drive 1090. Then, the CPU 1020 reads the program module 1093 and the program data 1094 stored in the memory 1010 and the hard disk drive 1090 into the RAM 1012 as needed, and executes the program.
  • the program module 1093 and the program data 1094 are not limited to those stored in the hard disk drive 1090, but may be stored in, for example, a removable storage medium and read by the CPU 1020 via the disk drive 1100 or the like. Alternatively, the program module 1093 and the program data 1094 may be stored in another computer connected via a network (LAN, WAN (Wide Area Network), etc.). Then, the program module 1093 and the program data 1094 may be read by the CPU 1020 from another computer via the network interface 1070.
  • LAN Local Area Network
  • WAN Wide Area Network

Abstract

The present invention relates to an information processing device (10) of a graph association system (100), which constructs a plurality of dependency graphs in which input logs are associated with one another. The information processing device (10) then tags each of the constructed dependency graphs. The information processing device (10) then associates the dependency graphs with one another on the basis of the added tags.
PCT/JP2019/040129 2019-10-10 2019-10-10 Graph association system and graph association method WO2021070352A1 (fr)
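The three steps the abstract names (build dependency graphs from logs, tag each graph, associate graphs on the basis of the tags) are sketched below as an added Python example. This is illustrative code written for this page, not the patent's implementation, and it makes assumptions the abstract does not state: each log source (here, a host) yields its own dependency graph whose edges run from the acting entity to the entity acted on, and a graph's tags are the external indicators (remote IP addresses and file hashes) found in its records. The hosts, process names, hash and IP addresses are constructed sample data.

```python
"""Added example: per-source dependency graphs from logs, tagged and then
associated by shared tags. Not the patent's code; see lead-in for assumptions."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# A log record: (source, subject, action, object, attributes). "source" is the
# host that emitted it; attributes carry indicators such as a remote IP or a
# file hash when the record has one. All values below are constructed samples.
LogRecord = Tuple[str, str, str, str, Dict[str, str]]

FAKE_HASH = "3b7e" * 16  # constructed stand-in for a SHA-256 hex digest

SAMPLE_LOGS: List[LogRecord] = [
    # hostA: a document opens a shell, which fetches and runs a dropper
    ("hostA", "winword.exe",    "exec",    "powershell.exe",            {}),
    ("hostA", "powershell.exe", "connect", "203.0.113.5:443",           {"remote_ip": "203.0.113.5"}),
    ("hostA", "powershell.exe", "write",   "C:\\Users\\bob\\stage.exe", {"sha256": FAKE_HASH}),
    ("hostA", "powershell.exe", "exec",    "C:\\Users\\bob\\stage.exe", {}),
    # hostB: the same binary (same hash) arrives by another path, same C2 address
    ("hostB", "explorer.exe",   "exec",    "D:\\share\\stage.exe",      {"sha256": FAKE_HASH}),
    ("hostB", "stage.exe",      "connect", "203.0.113.5:443",           {"remote_ip": "203.0.113.5"}),
    # hostC: unrelated browsing, shares nothing with the others
    ("hostC", "chrome.exe",     "connect", "198.51.100.7:443",          {"remote_ip": "198.51.100.7"}),
]


@dataclass
class DependencyGraph:
    source: str
    nodes: Set[str] = field(default_factory=set)
    # directed edge: acting entity -> entity acted on, with action and attributes
    edges: List[Tuple[str, str, str, Dict[str, str]]] = field(default_factory=list)
    tags: Set[str] = field(default_factory=set)


def build_dependency_graphs(records: List[LogRecord]) -> Dict[str, DependencyGraph]:
    """Step 1: one dependency graph per log source; each record becomes an edge."""
    graphs: Dict[str, DependencyGraph] = {}
    for source, subject, action, obj, attrs in records:
        g = graphs.setdefault(source, DependencyGraph(source))
        g.nodes.update((subject, obj))
        g.edges.append((subject, action, obj, attrs))
    return graphs


def tag_graph(graph: DependencyGraph) -> Set[str]:
    """Step 2: tag a graph with the indicators found on its edges. Using remote
    IPs and file hashes as the tags is this example's assumption."""
    for _subject, _action, _obj, attrs in graph.edges:
        if "remote_ip" in attrs:
            graph.tags.add("ip:" + attrs["remote_ip"])
        if "sha256" in attrs:
            graph.tags.add("sha256:" + attrs["sha256"])
    return graph.tags


def associate_graphs(graphs: Dict[str, DependencyGraph]) -> Dict[Tuple[str, str], Set[str]]:
    """Step 3: associate two graphs when they share at least one tag. An inverted
    index (tag -> sources) avoids comparing every pair of graphs directly."""
    by_tag: Dict[str, Set[str]] = defaultdict(set)
    for g in graphs.values():
        for tag in g.tags:
            by_tag[tag].add(g.source)
    links: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for tag, sources in by_tag.items():
        ordered = sorted(sources)
        for i, a in enumerate(ordered):
            for b in ordered[i + 1:]:
                links[(a, b)].add(tag)
    return dict(links)


def run_example(records: List[LogRecord] = SAMPLE_LOGS):
    """Run all three steps and return (graphs, associations)."""
    graphs = build_dependency_graphs(records)
    for g in graphs.values():
        tag_graph(g)
    return graphs, associate_graphs(graphs)


if __name__ == "__main__":
    graphs, links = run_example()
    for g in graphs.values():
        print(f"{g.source}: {len(g.nodes)} nodes, {len(g.edges)} edges, tags={sorted(g.tags)}")
    for (a, b), shared in sorted(links.items()):
        print(f"associated {a} <-> {b} via {sorted(shared)}")
```

With the constructed logs, hostA and hostB are associated through both the shared hash and the shared remote address, while hostC stays isolated. The value of the association depends entirely on how specific the tags are: a tag that many benign graphs share (a popular CDN address, a hash of a common system binary) would link unrelated graphs, so in practice tags are filtered against an allow list or weighted by rarity before pairs are emitted.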

Priority Applications (3)

Application Number Priority Date Filing Date Title
JP2021551065A JP7251649B2 (ja) 2019-10-10 2019-10-10 Graph association system and graph association method
PCT/JP2019/040129 WO2021070352A1 (fr) 2019-10-10 2019-10-10 Graph association system and graph association method
US17/766,532 US20230131800A1 (en) 2019-10-10 2019-10-10 Graph-associating system and graph-associating method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2019/040129 WO2021070352A1 (fr) 2019-10-10 2019-10-10 Graph association system and graph association method

Publications (1)

Publication Number Publication Date
WO2021070352A1 true WO2021070352A1 (fr) 2021-04-15

Family

ID=75438111

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2019/040129 WO2021070352A1 (fr) 2019-10-10 2019-10-10 Graph association system and graph association method

Country Status (3)

Country Link
US (1) US20230131800A1 (fr)
JP (1) JP7251649B2 (fr)
WO (1) WO2021070352A1 (fr)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016060067A1 (fr) * 2014-10-14 2016-04-21 日本電信電話株式会社 Specification device, specification method, and specification program
WO2018079439A1 (fr) * 2016-10-27 2018-05-03 日本電気株式会社 Incident effect range estimation device, incident effect range estimation method, storage medium, and system

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8869023B2 (en) * 2007-08-06 2014-10-21 Ricoh Co., Ltd. Conversion of a collection of data to a structured, printable and navigable format
US11601442B2 (en) * 2018-08-17 2023-03-07 The Research Foundation For The State University Of New York System and method associated with expedient detection and reconstruction of cyber events in a compact scenario representation using provenance tags and customizable policy
US11620300B2 (en) * 2018-09-28 2023-04-04 Splunk Inc. Real-time measurement and system monitoring based on generated dependency graph models of system components

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115086071A (zh) * 2022-07-20 2022-09-20 中孚安全技术有限公司 Data theft detection method, system and device based on log causal provenance
CN115086071B (zh) * 2022-07-20 2022-12-06 中孚安全技术有限公司 Data theft detection method, system and device based on log causal provenance

Also Published As

Publication number Publication date
US20230131800A1 (en) 2023-04-27
JP7251649B2 (ja) 2023-04-04
JPWO2021070352A1 (fr) 2021-04-15

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19948752

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 2021551065

Country of ref document: JP

Kind code of ref document: A

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19948752

Country of ref document: EP

Kind code of ref document: A1